The number of companies coming forward as victims of a data breach – that potentially exposed hundreds of thousands of credit card payment information – has expanded to include Best Buy and Kmart.

Last week, software service provider [24]7.ai, a company that provides online chat services for Delta, Sears and other companies, announced that its platform was a victim of a data breach in 2017. Hackers targeting [24]7.ai were able to collect payment information for its clients.

On Wednesday, Delta Air Lines and Sears came forward to announce that they had been impacted – and on Friday, the number of impacted companies expanded to include Best Buy, which said in a statement that a “small fraction” of its customers have had their payment information compromised due to a [24]7.ai malware attack that lead to the breach.

“Since we were notified by [24]7.ai, we have been working to determine the extent to which Best Buy online customers’ information was affected,” said Best Buy in a statement.

“We have done that in collaboration with our third-party vendor and have notified law enforcement,” said the statement. “As best we can tell, only a small fraction of our overall online customer population could have been caught up in this [24]7.ai incident, whether or not they used the chat function.”

Best Buy said that it will contact any impacted customers directly.

The attacks began on Sept. 26, 2017 and continued through Oct. 12, according to [24]7.ai. The service provider said there systems were targeted in a malware attack, but declined to detail the nature of the incident or how many clients were impacted. The company said last week that their systems are now secure.

Kmart, which is owned by Sears Holdings, said in a statement that it is “working closely with federal law enforcement authorities, our banking partners, and IT security firms in this ongoing investigation. We cannot comment on any specific activities by those parties; please direct any questions to them.”

In a statement, [24]7.ai said that a “small number of our client companies” were impacted.

Last week, the attack was first pegged as potentially exposing the credit card information of hundreds of thousands of Delta Air Lines and Sears Holdings customers.

Sears, which said in a statement they were informed of the breach in mid-March, said it believed the incident involved access to less than 100,000 customers’ credit card information.

Delta, meanwhile, said only “a small subset” of customers had been impacted, but did not specify the number. The airline company was informed of the breach on March 28.

“The question needs to be asked, who are our partners, what are their security practices, what data are we sharing, and what systems will they have access to? In this example, [24]7.ai – the software service provider for Sears (and many other large retail and airline brands) – became the source for the breach exposing customer credit card data,” said Anthony James, CMO at CipherCloud.